{{- if (and .Values.installCrdsOnUpgrade.enabled (and (not .Values.noHelmHooks) (eq .Values.controlPlane.environment "kubernetes"))) }}
  {{ $hook := "pre-upgrade,pre-install" }}
  {{- $serviceAccountName := printf "%s-install-crds" (include "kuma.name" .) }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ $serviceAccountName }}
  namespace: {{ .Release.Namespace }}
  annotations:
    "helm.sh/hook": "{{ $hook }}"
    "helm.sh/hook-weight": "-1"
    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed"
  labels:
  {{- include "kuma.labels" . | nindent 4 }}
{{- with concat .Values.installCrdsOnUpgrade.imagePullSecrets .Values.global.imagePullSecrets | uniq }}
imagePullSecrets:
  {{- range . }}
  - name: {{ . | quote }}
  {{- end }}
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "kuma.name" . }}-install-crds
  annotations:
    "helm.sh/hook": "{{ $hook }}"
    "helm.sh/hook-weight": "-1"
    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed"
  labels:
  {{- include "kuma.labels" . | nindent 4 }}
rules:
  - apiGroups:
    - "apiextensions.k8s.io"
    resources:
      - customresourcedefinitions
    verbs:
      - create
      - patch
      - update
      - list
      - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "kuma.name" . }}-install-crds
  annotations:
    "helm.sh/hook": "{{ $hook }}"
    "helm.sh/hook-weight": "-1"
    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed"
  labels:
  {{- include "kuma.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "kuma.name" . }}-install-crds
subjects:
  - kind: ServiceAccount
    name: {{ $serviceAccountName }}
    namespace: {{ .Release.Namespace }}
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "kuma.name" . }}-install-crds-scripts
  namespace: {{ .Release.Namespace }}
  annotations:
    "helm.sh/hook": "{{ $hook }}"
    "helm.sh/hook-weight": "-1"
    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
  labels:
  {{- include "kuma.labels" . | nindent 4 }}
data:
  install_crds.sh: |
    #!/usr/bin/env sh
    set -e

    if [ -s /kuma/crds/crds.yaml ]; then
      echo "/kuma/crds/crds.yaml found and is not empty, adding crds"
      kubectl apply -f /kuma/crds/crds.yaml
    else
      echo "/kuma/crds/crds.yaml not found or empty, it looks like there is no crds to install"
    fi
  save_crds.sh: |
    set -e

    crds="$(kumactl install crds --no-config {{ if .Values.experimental.gatewayAPI }}--experimental-gatewayapi{{end}})"

    if [ -n "${crds}" ]; then
      echo "found crds - saving to /kuma/crds/crds.yaml"
      echo "${crds}" > /kuma/crds/crds.yaml
    fi
---
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ template "kuma.name" . }}-install-crds
  namespace: {{ .Release.Namespace }}
  labels:
  {{ include "kuma.labels" . | nindent 4 }}
  annotations:
    "helm.sh/hook": "{{ $hook }}"
    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
spec:
  template:
    metadata:
      name: {{ template "kuma.name" . }}-install-crds-job
      labels:
    {{ include "kuma.labels" . | nindent 8 }}
    spec:
      serviceAccountName: {{ $serviceAccountName }}
      {{- with .Values.hooks.nodeSelector }}
      nodeSelector:
      {{ toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.hooks.tolerations }}
      tolerations:
      {{ toYaml . | nindent 8 }}
      {{- end }}
      restartPolicy: OnFailure
      securityContext:
      {{- toYaml .Values.hooks.podSecurityContext | trim | nindent 8 }}
      containers:
        - name: pre-upgrade-job
          image: "{{ .Values.kubectl.image.registry }}/{{ .Values.kubectl.image.repository }}:{{ .Values.kubectl.image.tag }}"
          securityContext:
          {{- toYaml (mergeOverwrite (dict "runAsUser" 65534) .Values.hooks.containerSecurityContext) | trim | nindent 12 }}
          resources:
             requests:
               cpu: "100m"
               memory: "256Mi"
             limits:
               cpu: "100m"
               memory: "256Mi"
          command: ["/kuma/scripts/install_crds.sh"]
          volumeMounts:
            - mountPath: /kuma/crds
              name: crds
              readOnly: true
            - mountPath: /kuma/scripts
              name: scripts
              readOnly: true
      initContainers:
        - name: pre-upgrade-job-init
          image: {{ include "kuma.formatImage" (dict "image" .Values.kumactl.image "root" $) | quote }}
          securityContext:
          {{- toYaml .Values.hooks.containerSecurityContext | trim | nindent 12 }}
          resources:
             requests:
               cpu: "100m"
               memory: "256Mi"
             limits:
               cpu: "100m"
               memory: "256Mi"
          volumeMounts:
          - mountPath: /kuma/crds
            name: crds
          - mountPath: /kuma/scripts
            name: scripts
            readOnly: true
          command: ["sh", "-c"]
          args: ["/kuma/scripts/save_crds.sh"]
      volumes:
        - name: scripts
          configMap:
            name: {{ include "kuma.name" . }}-install-crds-scripts
            defaultMode: 0755
        - name: crds
          emptyDir: {}
{{- end }}
